MicrosoftLearning/AZ500-AzureSecurityTechnologies

Lab 10: Set-AZKeyVaultAccessPolicy fails due to Az.KeyVault 4.10.1 module bug

Closed this issue · 2 comments

  • Module 03: Secure Data and Applications
  • Lab 10: Key Vault (Implementing Secure Data by setting up Always Encrypted)
  • Exercise 3: Configure an Azure SQL database and a data-driven application
  • Task 2: Create a policy allowing the application access to the Key Vault
  • Step 5

The command quoted below at the above-referenced step and following source location fails with the following error message.

Set-AZKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName AZ500LAB10 -ServicePrincipalName $applicationId -PermissionsToKeys get,wrapKey,unwrapKey,sign,verify,list

https://github.com/MicrosoftLearning/AZ500-AzureSecurityTechnologies/blob/fad3701e7c7c7845228feb9db27e36fd02d6abd5/Instructions/Labs/LAB_10_KeyVaultImplementingSecureDatabysettingupAlwaysEncrypted.md?plain=1#L294C1

Set-AZKeyVaultAccessPolicy: The request content has one or more ambiguous paths: 'properties.networkAcls.ipRules' required for policy evaluation.

This is the result of a bug in the Az.KeyVault module version 4.10.1, documented at the below issue page:

Azure/azure-powershell#22472

Per the last comment by contributor BethanyZhou, Az.KeyVault 4.10.2 fixes the issue and is available via PSGallery. The next version of the Az module (following current version 10.2.0) will likely reference 4.10.2 or later, but there is "no plan to release a new Az for a sub-module's hot fix". Cloud Shell provides the current version 10.2.0 of Az at this time, and therefore the 4.10.1 version of Az.KeyVault.

The below command was also provided by the same contributor to update the Az.KeyVault module to the latest available version. Running this command prior to the above-referenced Step 5 command prevented the reported issue in our testing.

Install-Module Az.KeyVault -Repository PSGallery -Force -AllowClobber

Addition of the above command or an equivalent to the instructions prior to the existing Step 5 Set-AZKeyVaultAccessPolicy command should resolve this issue. This addition likely would be removed upon the next Az release.

Important Note

The following step 5 serves as an interim procedure until the next Az version is released.

5. In the PowerShell session within the Cloud Shell pane, run the following to update the Az.KeyVault module to the latest available version.

Install-Module Az.KeyVault -Repository PSGallery -Force -AllowClobber

Something missing from the initial report is that the Cloud Shell session must be closed and reopened after running the Install-Module command, otherwise Az.KeyVault 4.10.1 will still be loaded and the Set-AZKeyVaultAccessPolicy command will still fail. There may also be a PowerShell command which can successfully reload the new version of the module without a relaunch, but I wasn't able to discover one in attempts so far.

If an instruction to relaunch the Cloud Shell session can be placed after the Install-Module command, that should allow this workaround to be effective. The Install-Module command may need to be moved from its current location to avoid clearing the previously set PowerShell variables specified in the task.
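Putting the pieces of this thread together, the following PowerShell is an added example (not part of the lab instructions or of any comment above) that makes the workaround self-checking: it inspects the Az.KeyVault version actually loaded in the session rather than the version on disk, installs the fixed module only when needed, refuses to continue while 4.10.1 is still in memory (so the relaunch step cannot be skipped by accident), and then runs the Step 5 access-policy command and reads back the policy that was written. It assumes an authenticated Cloud Shell PowerShell session, that `$kvName` and `$applicationId` were set earlier in the task as the lab instructs, and that 4.10.2 is the first fixed release, as stated in Azure/azure-powershell#22472.

```powershell
# Added example, not the lab's own code: guard the Step 5 Set-AzKeyVaultAccessPolicy
# call against the Az.KeyVault 4.10.1 bug reported in this issue.
# Assumptions: authenticated Cloud Shell PowerShell session; $kvName and
# $applicationId already set by earlier steps of the task.

$fixedVersion = [version]'4.10.2'   # first release that fixes the bug, per azure-powershell#22472

# 1. Check the module that is LOADED in this session. Get-Module -ListAvailable would
#    happily report a newly installed 4.10.2 while 4.10.1 is still the one in memory.
$loaded = Get-Module -Name Az.KeyVault
if (-not $loaded) {
    # The module normally auto-loads on first cmdlet use; import it so we can read the version.
    Import-Module Az.KeyVault -ErrorAction Stop
    $loaded = Get-Module -Name Az.KeyVault
}
Write-Host "Loaded Az.KeyVault version: $($loaded.Version)"

if ($loaded.Version -lt $fixedVersion) {
    # 2. Install the fixed module side by side with the one bundled in Az (same command the issue quotes).
    Install-Module Az.KeyVault -Repository PSGallery -Force -AllowClobber

    $newest = Get-Module -Name Az.KeyVault -ListAvailable |
        Sort-Object Version -Descending | Select-Object -First 1
    Write-Host "Newest Az.KeyVault on disk: $($newest.Version)"

    # 3. The already-loaded 4.10.1 stays in memory, so this session would still hit the bug.
    #    Stop here instead of letting the access-policy call fail with the ambiguous-paths error.
    throw "Az.KeyVault $($loaded.Version) is still loaded. Close and reopen Cloud Shell, " +
          "re-set `$kvName and `$applicationId (the relaunch clears them), then rerun this script."
}

# 4. Reached only with a fixed module loaded. Grant the application exactly the key
#    permissions the lab requires for Always Encrypted and nothing broader.
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName AZ500LAB10 `
    -ServicePrincipalName $applicationId `
    -PermissionsToKeys get,wrapKey,unwrapKey,sign,verify,list

# 5. Read back the access policies on the vault so the result can be verified, not assumed.
(Get-AzKeyVault -VaultName $kvName -ResourceGroupName AZ500LAB10).AccessPolicies |
    Select-Object DisplayName, ObjectId, PermissionsToKeys
```

The deliberate `throw` is the point of the script: the first run in a fresh Cloud Shell installs 4.10.2 and then stops, the relaunch picks up the new module, and the second run (after the task's variables are set again) performs the policy change and prints the policies so you can confirm the application received only the listed key permissions.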